
Vulnerability Numerology - Defective by Design?

Zonk posted more than 6 years ago | from the gaze-into-your-crystal-ball dept.

Security 103

rdmreader writes "RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet's George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft's. What he doesn't note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and backhandedly claims its data is evidence of what it now tells journalists they shouldn't report. Is Secunia presenting slanted information with the expectation it will be misused?"


LOL (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21779608)

FIRSTTROUT

Re:LOL (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21779692)

Go suck on some nigger dick faggot

Who's reporting what? (0)

Amiga Lover (708890) | more than 6 years ago | (#21779696)

> Is Secunia presenting slanted information with the expectation it will be misused?

Yes. However Secunia only does this from time to time like most companies who realise the press is a tool to be used.

Unlike Roughly Drafted Magazine, which is the most sickening pandering fanboyism rubbish published on the net. Please. Eran gives real mac fanbois and girls a bad name

Re:Who's reporting what? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21780024)

halle-f'n-lujah. RDM is pure crap and daniel eran is a total f'n douche

I've never read that site before (1)

spun (1352) | more than 6 years ago | (#21780452)

And I never will again. He's as bad as the people he is criticizing, if not worse. He does exactly what he accuses the "Microsoft shills" of doing. From another article on the site: "I explained that he could just drag the application to the trash, and that in the Mac OS there are no DLL files to worry about."

Riiight. Mac OS doesn't have libraries. There are no possible library mismatch issues on Mac OS. Okay, buddy, whatever.

Re:I've never read that site before (1)

Jeremy Erwin (2054) | more than 6 years ago | (#21780734)

And I never will again. He's as bad as the people he is criticizing, if not worse. He does exactly what he accuses the "Microsoft shills" of doing. From another article on the site: "I explained that he could just drag the application to the trash, and that in the Mac OS there are no DLL files to worry about."

Riiight. Mac OS doesn't have libraries. There are no possible library mismatch issues on Mac OS. Okay, buddy, whatever.

his original post [roughlydrafted.com]

Look, have you ever used a Mac? Shared Libraries are versioned.

And the Mac has bundles [trolltech.com] , which keep applications and libraries together.

Quite frankly, this attitude reminds me of people who think that installing a new device driver under Linux entails a reboot. Traditions can be wrong.

Re:I've never read that site before (1)

spun (1352) | more than 6 years ago | (#21781392)

Yes, I've used a mac. And libraries are versioned under all operating systems. That doesn't always help. Sometimes minor version numbers aren't minor. The interface changes (when it shouldn't for a minor number change). Old bugs are fixed, breaking things that depend on them. New bugs are introduced.

Bundles are great, but we are talking about shared libraries! If each package has its own version of the library, they aren't shared, are they? If each program loads its own version and doesn't look at what is already loaded, that's a shared library in name only. If it does look at the loaded version, then you have potential incompatibility issues. Which program starts first determines what version is loaded, and that can lead to really, really gnarly bugs.

You obviously don't understand how libraries work, and are spouting the Apple line, "It's all solved! There are no issues! Bundles! Bundles! BUNDLES!" Understand how things work before spouting your fanboyisms.

Re:I've never read that site before (0)

Anonymous Coward | more than 6 years ago | (#21782832)

Bundles are great, but we are talking about shared libraries! If each package has its own version of the library, they aren't shared, are they? If each program loads its own version and doesn't look at what is already loaded, that's a shared library in name only.
We can stop right there, because if you'd taken ten seconds to research the issue instead of launching off into a speculative and completely inaccurate fantasy, you'd have learned that that's exactly the way it works. Shared libraries are either bundled with the OS (with guarantees covering how the versioning will work), or they're bundled in the application bundle and therefore shared in name only.

This isn't a big deal on a modern computer... sharing code was important when you were trying to accommodate 50 people in under a megabyte of memory, but now that everyone has their own individual gigabyte or more, it really doesn't make much difference if ten programs each load their own copy of a 100 kb library into memory, does it?

Re:I've never read that site before (1)

PastaLover (704500) | more than 6 years ago | (#21791078)

This isn't a big deal on a modern computer... sharing code was important when you were trying to accommodate 50 people in under a megabyte of memory, but now that everyone has their own individual gigabyte or more, it really doesn't make much difference if ten programs each load their own copy of a 100 kb library into memory, does it?
Er, not that I know how it works, but what happens when versions X.a till Y.n of that library have a security bug? How do you fix it across all applications?

Uh, no. You don't understand the issue at all. (1)

spun (1352) | more than 6 years ago | (#21800494)

Shared libraries are either bundled with the OS (with guarantees covering how the versioning will work),
Right. So, application A is developed for system library libFoo1.2.3. But the library has a bug in it. So app A developers write a workaround. Now, the system library is patched in an update. Application B is written for this new version, without the workaround. Which do you run, A or B? Because you can't run both. All you've done here is to show your ignorance of the issue. And you don't help matters by claiming "Waste lots of memory" is an answer. Either you are using statically linked libraries and wasting memory, or, even though applications might have bundled shared libraries, if you get two applications that have different versions of the same bundled library, you have problems when you try to run them both because only the first version loaded will be used.

The funny thing is that you think the Mac way of doing things is somehow new or different, and therefore the problems can't happen on a Mac, when all you've done is described the way everyone has been doing things for decades.
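PastaLover's question above (what happens when a whole range of library versions carries a security bug and copies of it are bundled inside applications) is a concrete inventory problem, so here is an added example, written for this thread and not taken from Roughly Drafted or any of the posters: it walks a constructed inventory of system and per-application library copies, compares each version numerically against a constructed affected range, and splits the hits into the one copy a system update fixes and the bundled copies that each need their own application update. The inventory, the `libfoo` advisory, its version numbers and the `system:` owner prefix are all assumptions made up for the example.

```python
import re


def version_key(text, width=4):
    """Turn '1.4' or '1.4.0-p2' into a fixed-width tuple so that '1.4' == '1.4.0'
    and comparisons are numeric rather than lexical ('1.10' sorts after '1.9')."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"cannot parse version component {part!r} in {text!r}")
        nums.append(int(m.group()))
    if len(nums) > width:
        raise ValueError(f"version {text!r} has more than {width} components")
    return tuple(nums + [0] * (width - len(nums)))


def in_range(version, first_bad, last_bad):
    """True when version lies in the inclusive affected range [first_bad, last_bad]."""
    return version_key(first_bad) <= version_key(version) <= version_key(last_bad)


# Constructed inventory: which copy of which library each owner ships.
# The "system:" prefix is this example's own convention for the OS-provided copy.
INVENTORY = {
    "system:/usr/lib": {"libfoo": "1.3.1", "libbar": "2.0"},
    "AppA.app": {"libfoo": "1.2.3"},
    "AppB.app": {"libfoo": "1.4"},
    "AppC.app": {"libfoo": "1.5.0", "libbar": "2.1.7"},
    "AppD.app": {"libbar": "2.0.4"},
}

# Constructed advisory: libfoo from 1.2.0 through 1.4.5 is affected, fixed in 1.4.6.
ADVISORY = {"lib": "libfoo", "first_bad": "1.2.0", "last_bad": "1.4.5", "fixed": "1.4.6"}


def affected_copies(inventory, lib, first_bad, last_bad):
    """Every (owner, version) pair that ships an affected copy of lib, sorted by owner."""
    return sorted(
        (owner, libs[lib])
        for owner, libs in inventory.items()
        if lib in libs and in_range(libs[lib], first_bad, last_bad)
    )


def remediation_plan(inventory, advisory):
    """Split affected copies into those one system update fixes and the bundled
    copies that stay vulnerable until each application vendor ships an update."""
    hits = affected_copies(inventory, advisory["lib"],
                           advisory["first_bad"], advisory["last_bad"])
    system = [owner for owner, _ in hits if owner.startswith("system:")]
    bundled = [owner for owner, _ in hits if not owner.startswith("system:")]
    return {"system_copies": system, "bundled_copies": bundled,
            "fixed_in": advisory["fixed"]}


if __name__ == "__main__":
    plan = remediation_plan(INVENTORY, ADVISORY)
    print("fixed by one system update:", plan["system_copies"])
    print("need a per-application update:", plan["bundled_copies"])
```

The point the output makes is the one spun and PastaLover are circling: a single OS update closes the system copy, but every bundled copy is a separate remediation item that the application's vendor controls, and an inventory that only checks `/usr/lib` will report the host as clean while two affected copies remain.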

Re:I've never read that site before (0)

Anonymous Coward | more than 6 years ago | (#21782582)

Quickly estimating the IQ / experience of posts in reply to Roughly Drafted articles indicates that frothing assholes hate him, and intelligent interesting people at least appreciate a lot of what's there, even if they don't agree with every opinion.

If you're so upset with the author, why would you cite the remarks of a reader as "From another article on the site"? That's a bit disingenuous, because it wasn't Daniel Eran Dilger who wrote that, it was a reader comment. Is the best criticism you can make not even true? That says more about your credibility than Roughly Drafted's.

He takes some time to get to the point, but it's one of the best examples of broad+deep tech writing on the web. It regularly delivers fresh and interesting perspectives, even if you don't agree with his take on everything. The fact that a few trolls like yourself are so up in arms about it indicates there's something you don't like, not that it's bad.

Re:I've never read that site before (0)

Anonymous Coward | more than 6 years ago | (#21782778)

If that is some of the "best examples of broad+deep tech writing on the web", then humanity is doomed. The reason people get mad about the site is he perpetuates a childish "us vs. them" mentality, he just takes the time to lay it out like USA Today. It may look professional, but that doesn't make the points presented any more legitimate.

Re:I've never read that site before (1)

PastaLover (704500) | more than 6 years ago | (#21791108)

The GP post was not made by a frothing asshole so there goes your theory out of the window. I read one article on roughly drafted (about iPods a while back) and it was badly researched, plain wrong, full of proof of assertion and generally insulting to everyone who didn't agree with the author. A bit like your comment really.

Re:I've never read that site before (1)

DECS (891519) | more than 6 years ago | (#21794898)

maybe you should stick to pasta then.

I'll buy you a pound of spaghetti if you can actually point out anything that was "badly researched, plain wrong, full of proof of assertion" (no dice for "generally insulting to everyone who didn't agree with the author," as that is a bit subjective among pasta/Zune fans.)

Seriously, put up or shut up with the baseless accusations.

The New Apple Patent: WGA Evil or iPhone Knievel? [roughlydrafted.com]
Is it true that Apple is racing to duplicate Microsoft's infamously evil WGA, or is it possible that Apple's patent describes something entirely different that leaps over the heads of industry pundits and performs a spectacular arc over the rows of broken down vehicles underneath (some of which may be on fire), to land a new platform and win applause for doing so?


Re:Who's reporting what? (1)

squiggleslash (241428) | more than 6 years ago | (#21780472)

Firefox users might find TheRaven64's [slashdot.org] advice useful WRT to making it a little easier to identify RD articles.

We MUST deny reality (0)

Anonymous Coward | more than 6 years ago | (#21785398)

Of course the reporting methods are flawed. If they report that there is ANYTHING wrong with Teh Lunix or OSX, we know they are just trying to pump up the price of all the stock Microsoft has paid them off with.

Because, as anyone here knows, OSX and Teh Lunix are perfect and flawless creations. Touched by the hand of SteveJob, or Teh Lunis himself.

So obviously, since Vista/IE7 have far, far fewer flaws than OSX or Teh Lunis, we can know just by that result there is a flaw in the reporting methodology. Our FUD is never wrong, and our FUD tells us that Microsoft is buggy and has to force people to use their software. Any evidence to the contrary must be denied without even being looked at, lest we taint our worldview with doubt.

Applied Reductionism ... (0)

foobsr (693224) | more than 6 years ago | (#21779776)

... with regard to security as expressed by the faith that pure frequencies are a proper means of assessing OS vulnerabilities must inevitably lead to misuse, since any use of such measurements is.

CC.

Numerology? (1, Insightful)

RyanFenton (230700) | more than 6 years ago | (#21779790)

<Skeptical Nitpick>
Did the guy who titled this know what the term Numerology [wikipedia.org] means? It's usually associated with wild "magical thinking" about numbers, and is at best a rather silly form of pseudomathematics.
</Skeptical Nitpick>

Ryan Fenton

Re:Numerology? (3, Insightful)

Spy der Mann (805235) | more than 6 years ago | (#21779850)

Did the guy who titled this know what the term Numerology means?

Exactly. IMHO, he's saying that Secunia vulnerability comparisons aren't any more reliable than numerology predictions.

Re:Numerology? (1, Funny)

Billosaur (927319) | more than 6 years ago | (#21780092)

No, I think he's saying if you apply numerology to trojans/virii, you can gain insight into their personalities...

Re:Numerology? (-1, Troll)

Anarke_Incarnate (733529) | more than 6 years ago | (#21780164)

Speaking of made up things, the word is viruses, not virii. Virii is a made up bastardization of an attempt to make the word seem Latin. Viri means men, Virii has no meaning, and as such, is made up.

Re:Numerology? (1)

pboulang (16954) | more than 6 years ago | (#21782220)

And yet it was used, and you knew exactly what it meant: hence, it is a perfectly valid word.

Re:Numerology? (1)

Anarke_Incarnate (733529) | more than 6 years ago | (#21782744)

Knowing what somebody means does not make it correct (or cromulent). Since it is not a word (much the way Ain't is not a word) then simply allowing people to bastardize two languages is simply incorrect.

Oh, and P.S.
Piss off, you wanker.

Re:Numerology? (1)

pboulang (16954) | more than 6 years ago | (#21788902)

And yet the dictionary adds words every single god damn edition. Those bastards! I assume you don't use words until your dictionary of choice adds them? How civilized of you. You are just now learning how language evolves. Your argument is wholly without merit, especially in this context.

Re:Numerology? (1)

Anarke_Incarnate (733529) | more than 6 years ago | (#21790112)

A dictionary adding words is fine, for when there exists no word to truly express the subtle meanings that the new word provides. We ALREADY HAVE a word to do EXACTLY what this "word" purports to do. That word is viruses. Don't grasp at the straws of failed logic because of a false sense of entitlement.
Using a "word" in the wrong context does not give that word new meaning. It simply makes you look stupid.

Re:Numerology? (1)

pboulang (16954) | more than 6 years ago | (#21801440)

A dictionary adding words is fine, for when there exists no word to truly express the subtle meanings that the new word provides.
Well, thank you for blessing us with your superior intellect and allowing dictionaries the right to do this. I'll contact them and have them send you a card.

Using a "word" in the wrong context does not give that word new meaning.
Quite possibly one of the most idiotic sentences ever written. Congratulations. That is EXACTLY why words have multiple meanings. Also EXACTLY why there are multiple words with the same meanings. Looking at denotation without connotation means living in obliviousness.

It simply makes you look stupid.
As does stomping your feet like a four year old. Regardless of the ridiculousness of the word "virii", its use is widespread and complaining about its use on a website (read: informal word usage is the norm) is insanely petty. Whether YOU think it is a word or not really doesn't matter to the rest of us.

Re:Numerology? (1)

Anarke_Incarnate (733529) | more than 6 years ago | (#21801612)

You are trying to educate me on petty behavior? You are the one who seems bent on proving your point. I let the facts speak for myself. If you want to break balls, perhaps you should find a different target. Mine are simply out of your league.

Re:Numerology? (1)

pboulang (16954) | more than 6 years ago | (#21801680)

bwahahahahah! You certainly haven't shown that, Whiney McCrybaby.

Re:Numerology? (1)

Anarke_Incarnate (733529) | more than 6 years ago | (#21802358)

Wow, how mature. Sure showed me....

Re:Numerology? (1)

gr8scot (1172435) | more than 6 years ago | (#21797130)

And yet the dictionary adds words every single god damn edition.
That could be put to a halt with the addition of one last word to the "English" language: "Slanglish," defined as a separate language composed of all slang vocabulary identified as commonly interspersed among proper English. Considering the limited vocabulary of most speakers of it, any argument for a need to add even more words to the English language has given its counterargument a 99% Head Start.

Re:Numerology? (1)

pboulang (16954) | more than 6 years ago | (#21801486)

Well, the beauty of English is that it is NOT a programming language with some governing body deciding on what is "official". Languages are defined not in some snapshot but by how they are used. Dictionaries attempt to define, but are always playing catch-up. Interestingly, you should note that just as words are added, many are lost. It is in fact the dictionary's fault that we still have record of these unused words.

Re:Numerology? (1)

gr8scot (1172435) | more than 6 years ago | (#21801596)

Beauty: Do you believe the beauty of the French language is diminished by the Academie Francaise? If so, how do you explain its perception as the most beautiful and romantic of all the Romance languages?

Re:Numerology? (1)

pboulang (16954) | more than 6 years ago | (#21801658)

No, I was talking about the beauty of English. It far surpasses French in total number of words, and is also more able in different scenarios due to this. I was certainly not attempting to compare English and any other languages.

Re:Numerology? (1)

mhall119 (1035984) | more than 6 years ago | (#21782862)

And yet it was used, and you knew exactly what it meant: hence, it is a perfectly cromulent [wiktionary.org] word.
There, I embiggened that for you.

Re:Numerology? (0, Flamebait)

Selfbain (624722) | more than 6 years ago | (#21780176)

Of course you'd say that...you have the brainpan of a stagecoach tilter!

Re:Numerology? (4, Funny)

squiggleslash (241428) | more than 6 years ago | (#21780882)

Look, it's really quite simple what he's trying to say: If you add the letters of "ROUGHLYDRAFTED.COM" (A=1, Z=26, . = 0), you get 195. Add those digits together and you get 15. Again, add a third time and you get 6. So after adding the digits together three times, we get 6. Six repeated three times is "666", which is specified in the Bible as being the mark of the devil.

Now, if you do the same thing with "SECUNIA", you get 72. 7+2 = 9. And 9, added to itself, is 18, and its digits also add up to 9. So nine is obviously significant.

What does this mean? It's quite simple. The Devil, as specified by the Bible, is also what tempted Adam and Eve to take an Apple from the tree of knowledge. You see where this is going? ROUGHLYDRAFTED.COM is essentially saying that Apple is the source of knowledge. Whereas SECUNIA's, like, nine, or something.

Does this help?

Re:Numerology? (1)

sumdumass (711423) | more than 6 years ago | (#21781762)

Wow, you forgot to work in that in the Hebrew language, W is the number 6. Actually, there isn't a W, but once you translate English to Hebrew, W becomes a single U, which is 6. So the entire World Wide Web, WWW, is 666, or the devil too.

Re:Numerology? (1)

Nazlfrag (1035012) | more than 6 years ago | (#21787684)

I always wondered why Apples apple had a little bite taken out of it.

Re:Numerology? (1)

Xabraxas (654195) | more than 6 years ago | (#21790836)

Now, if you do the same thing with "SECUNIA", you get 72. 7+2 = 9. And 9, added to itself, is 18, and its digits also add up to 9. So nine is obviously significant.

No, no. Nine isn't significant. You missed the easy explanation. 18 is 6 times 3. 666

Re:Numerology? (1)

paulatz (744216) | more than 6 years ago | (#21805492)

Actually 18 is 6 times 3.000

Re:Numerology? (2, Insightful)

irenaeous (898337) | more than 6 years ago | (#21783986)

. . . that Secunia vulnerability comparisons aren't any more reliable than numerology predictions.

I RTFA. He is not critical of Secunia per se. He quotes a lot from Secunia's advisories and claims that George Ou has misused the data. In other words, Ou is practicing numerology with Secunia's numbers. Presumably then, Secunia's numbers can be used intelligently by others who know how to correctly interpret the data. His criticisms of Ou sound correct to me, but I don't care for all the extremely harsh ad hominem. It makes him look angry and does not help.

Re:Numerology? (0)

Anonymous Coward | more than 6 years ago | (#21779858)

That's kind of the point.

Re:Numerology? (1)

mr_mischief (456295) | more than 6 years ago | (#21782200)

So you're saying "one vulnerability" on Windows which affects every program running on the OS being less significant than "100 vulnerabilities" in which different applications you might not have installed are exploitable, listed by each string of values that as input could be used in an exploit, is not "at best a silly form of pseudomathematics"? Perhaps you missed the point of the word as used.

About Secunia (3, Interesting)

Noryungi (70322) | more than 6 years ago | (#21779832)

Does Secunia present slanted information?

No, it just lists vulnerabilities. But it also lists them AND presents these two important things: (a) the importance of the vulnerability, and (b) whether or not it can be triggered through the network or not (local/remote vulnerability).

Furthermore, it separates Windows vulnerabilities into system and application vulnerabilities, if memory serves well. It's not able to do that with Linux, since different Linux distros incorporate different applications.

The matrix therefore becomes a lot more complicated. You can have a 'local only' problem (meaning: no remote exploitation) which can be considered as 'critical' on some Linux/BSD systems and not on others. You can have a remotely-exploitable problem which is critical on all systems that have application XYZ installed. But if I don't install XYZ (or if it's not activated by default) on my PC, I don't have a problem. And so on and so forth.

Which is why people that point at Linux/Mac and say: "Aha! More insecure than Windows!!" are not truly honest: I have Linux and OpenBSD machines with up-to-date SSH servers, no users, a good password, and no other network service running. These machines are almost perfectly secure -- except when it comes to an OpenSSH vulnerability -- even though there are plenty of applications on them that could be considered obsolete or vulnerable... if you can gain local access in the first place. The only point of vulnerability is OpenSSH. And I update it religiously.

All in all, don't blame Secunia: blame people (especially journalists) who know nothing about security and jump on meaningless numbers pulled out of thin air to blame Linux.
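The "matrix" Noryungi describes (severity, local versus remote, and whether the component is even installed or exposed on a given box) is easy to make concrete, so here is an added example for this thread, not code from Secunia, Roughly Drafted or any poster. It builds a constructed advisory list with made-up identifiers and two constructed hosts, a locked-down bastion like the one in the post above and an ordinary desktop, and contrasts the raw per-OS tally a naive comparison would report with the advisories that actually apply to each host. Component names, advisory ids, severities and the `exposed` and `patched` sets are all assumptions of the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Advisory:
    ident: str       # constructed identifier, not a real Secunia or CVE number
    component: str   # package the bug lives in
    severity: str    # "low", "moderate" or "critical"
    vector: str      # "remote": reachable over the network; "local": needs a local foothold


@dataclass(frozen=True)
class Host:
    name: str
    installed: frozenset   # components present on the box
    exposed: frozenset     # installed components that process untrusted network input
    local_users: bool      # untrusted local accounts exist
    patched: frozenset     # advisory ids already fixed on this host


SEVERITY_RANK = {"low": 1, "moderate": 2, "critical": 3}

# Constructed advisory list standing in for a vendor or OS tally.
ADVISORIES = [
    Advisory("ADV-0001", "openssh", "critical", "remote"),
    Advisory("ADV-0002", "imageviewer", "critical", "remote"),
    Advisory("ADV-0003", "imageviewer", "moderate", "local"),
    Advisory("ADV-0004", "kernel", "critical", "local"),
    Advisory("ADV-0005", "webserver", "critical", "remote"),
    Advisory("ADV-0006", "mailclient", "low", "remote"),
]

# Constructed hosts: an SSH-only bastion kept patched, and a busy desktop.
BASTION = Host("bastion", frozenset({"openssh", "kernel", "imageviewer"}),
               frozenset({"openssh"}), local_users=False,
               patched=frozenset({"ADV-0001"}))
DESKTOP = Host("desktop",
               frozenset({"openssh", "kernel", "imageviewer", "mailclient", "webserver"}),
               frozenset({"webserver", "mailclient"}), local_users=True,
               patched=frozenset())


def raw_tally(advisories):
    """The number a naive OS-vs-OS comparison reports: every listed advisory counts once."""
    return len(advisories)


def applicable(advisories, host):
    """Advisories that actually matter on this host, remote ones first, then local."""
    live = [a for a in advisories
            if a.component in host.installed and a.ident not in host.patched]
    remote = [a for a in live if a.vector == "remote" and a.component in host.exposed]
    # A local-only bug is reachable if untrusted local accounts exist, or if a remote
    # bug in an exposed component could hand an attacker the local foothold it needs.
    local_reachable = host.local_users or bool(remote)
    local = [a for a in live if a.vector == "local" and local_reachable]
    return remote + local


def exposure(advisories, host):
    """(worst severity rank among applicable advisories, number of applicable advisories)."""
    hits = applicable(advisories, host)
    worst = max((SEVERITY_RANK[a.severity] for a in hits), default=0)
    return worst, len(hits)


if __name__ == "__main__":
    print("raw tally:", raw_tally(ADVISORIES))
    for host in (BASTION, replace(BASTION, patched=frozenset()), DESKTOP):
        worst, n = exposure(ADVISORIES, host)
        print(f"{host.name}: {n} applicable, worst severity rank {worst}")
```

Two things the numbers show that a flat count hides: the patched bastion has zero applicable advisories against a raw tally of six, and the same bastion with its one OpenSSH fix missing jumps to three, because a remote hole in the only exposed service makes the local kernel and viewer bugs reachable too. That chaining is the caveat to "local only" ratings: they are conditional on nothing remote being open.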

Re:About Secunia (0)

Anonymous Coward | more than 6 years ago | (#21779910)

Secunia presents the vulnerabilities along with the fixes, hence the list they have actually shows vulnerabilities that have been discovered AS WELL AS fixed. Hence it is BETTER that Apple has more on that list as those are vulnerabilities that have been discovered and patched. Were it a list of just vulnerabilities I'm sure the Microsoft list would be longer.

Re:About Secunia (0)

Anonymous Coward | more than 6 years ago | (#21780948)

It's also important to note that in Vista/*nix most xyz applications run with low privileges so can't damage much if exploited.
Also using AppArmor (slated for Ubuntu 8.04), SELinux (not for noobs) or jail (normal on BSD and the best tool) will lock down all vulnerabilities to the point of vulnerability.

Re:About Secunia (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#21781388)

I have Linux and OpenBSD machines with ... no users... These machines are almost perfectly secure
Erm, aren't all machines perfectly secure when you take the users out of the equation?

Re:About Secunia (2, Insightful)

sumdumass (711423) | more than 6 years ago | (#21781888)

No, not perfectly. Earlier versions of Windows could be exploited without any interaction of any user at all outside the author of an automated virus. Even things in Linux could have the same types of vulnerabilities. Although, it is rare to see automated programs that could exploit them with no user interaction and then replicate and launch another attack somewhere else. This seems to be a Windows-only thing.

If you said that removing the user removes a significant portion of the vulnerabilities, then you would likely be correct.

Re:About Secunia (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#21786836)

Hint: without a user, the machine doesn't get turned on ;)

Re:About Secunia (1)

sumdumass (711423) | more than 6 years ago | (#21791234)

Actually, with the "power on after reset" or whatever the labeling is in the BIOS, if the power goes out, when it comes back on the computer will start on its own.

So as long as it is plugged into the wall, it can turn on without any interaction from a user at all.

You might as well have suggested that without a computer, every OS is safe. Let's be practical here.

Re:About Secunia (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#21791652)

Dude, let it go. Seriously. Just let it go. You missed the joke, trying to plow ahead and cover that up isn't making it any better. For further discussion, reference Humor [google.com] , definition of.

Re:About Secunia (1)

sumdumass (711423) | more than 6 years ago | (#21793268)

Hmm, which part was the joke? And aren't jokes supposed to be funny? I guess making an untrue statement could be funny to some. It just didn't seem like it was a joke when the discussion was about security flaws and a good majority of them require a human presence to manipulate, and then the comment about taking them out of the picture negating them.

I'm sorry, I still don't get it. Could you point directly to the funny part?

Re:About Secunia (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#21800854)

a good majority of them require a human presence to manipulate, and then the comment about taking them out of the picture negating them.
Yep, that's rather the funny part. Though if you don't see it, I strongly suspect I won't be able to explain it any further. It's ok, most people don't have the capacity to enjoy all forms of humor. I probably don't either; no worries.

Re:About Secunia (2)

josephdrivein (924831) | more than 6 years ago | (#21785232)

All in all, don't blame Secunia: blame people (especially journalists) who know nothing about security and jump on meaningless numbers pulled out of thin air to blame Linux.
Except the same meaningless numbers were used to push FF against IE. I recall the "More secure" slogan.
But it's been a while since the last time I heard it. Malice suggests that those numbers aren't very useful to FF lately.

Disclaimer: I'm a Linux user and I use FF regularly.
For what it's worth, I don't wish to start a flame war, but I think we should attempt to be fair.

The Truth About Ron Paul (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21779834)

Source: http://groups.yahoo.com/group/nsmamerica/message/6788 [yahoo.com]

Comrades:

I have kept quiet about the Ron Paul campaign for a
while, because I didn't see any need to say anything
that would cause any trouble. However, reading the
latest release from his campaign spokesman, I am
compelled to tell the truth about Ron Paul's extensive
involvement in white nationalism.

Both Congressman Paul and his aides regularly meet
with members of the Stormfront set, American
Renaissance, the Institute for Historic Review, and
others at the Tara Thai restaurant in Arlington,
Virginia, usually on Wednesdays. This is part of a
dinner that was originally organized by Pat Buchanan,
Sam Francis and Joe Sobran, and has since been mostly
taken over by the Council of Conservative Citizens.

I have attended these dinners, seen Paul and his aides
there, and been invited to his offices in Washington
to discuss policy.

For his spokesman to call white racialism a "small
ideology" and claim white activists are "wasting their
money" trying to influence Paul is ridiculous. Paul
is a white nationalist of the Stormfront type who has
always kept his racial views and his views about world
Judaism quiet because of his political position.

I don't know that it is necessarily good for Paul to
"expose" this. However, he really is someone with
extensive ties to white nationalism and for him to
deny that in the belief he will be more respectable by
denying it is outrageous -- and I hate seeing people
in the press who denounce racialism merely because
they think it is not fashionable.

Bill White, Commander
American National Socialist Workers Party

Re:The Truth About Ron Paul (0)

Anonymous Coward | more than 6 years ago | (#21781732)

Silly socialists, trix are for kids.

Re:The Truth About Ron Paul (0, Offtopic)

mr_mischief (456295) | more than 6 years ago | (#21782116)

Bill White, Commander
American National Socialist Workers Party

You make the same mistake a lot of so-called socialists make. You think that equality and fairness is for your followers, who are all inferior to you. If you considered them your equals, you wouldn't be commanding them. It's an interesting choice of title for someone who's supposed to be for the body of the people.

News? (0, Flamebait)

thatskinnyguy (1129515) | more than 6 years ago | (#21779890)

So his list is based on vendor FUD-slinging? I don't even need to RTFA to know not to waste my time. How is this news?

Room 12a, first door to your left (0, Offtopic)

sm62704 (957197) | more than 6 years ago | (#21779892)

Any operating system can be broken into. A bank vault can be broken into. Any OS can be rooted given an attacker has the expertise.

Any OS can be trojaned, but only one company's OS has viruses and spyware. And I think it incredibly unprofessional (incompetent?) that AV companies can't seem to tell the difference between a virus and a trojan.

-mcgrew (not the security mcgrew, not the comedian mcgrew, but I do what I can to secure my PC and sometimes I can make people laugh).

Sorry to respond to my own post but (-1, Offtopic)

sm62704 (957197) | more than 6 years ago | (#21779928)

It just struck me that I wish the company that makes my favorite brand of condoms [trojancondoms.com] would change its name.

# of Vulnerabilities!=Acknowledged Vulnerabilities (4, Insightful)

Foofoobar (318279) | more than 6 years ago | (#21780022)

Number of vulnerabilities in a product is not the same thing as the acknowledged number of vulnerabilities in a product. Secunia reports on the number of acknowledged vulnerabilities. Microsoft is known for NOT acknowledging vulnerabilities even though they have been reported to the company and then SUDDENLY fixing them in a patch.

And then unfortunately, their supporters like to bash Linux and Mac for actually working with security agencies and fixing their bugs as well as reporting them. This will forever be the bane of open source and its benefit... that everyone gets to see its flaws but at the same time, everyone gets to contribute to fix them.

Re:# of Vulnerabilities!=Acknowledged Vulnerabilit (1)

tb3 (313150) | more than 6 years ago | (#21780158)

I'll go you one further; vulnerability != exploit. Show me a tally of exploits in the wild, or better yet, exploits that aren't proof-of-concept. I don't think you'll find a single one for Macs or Linux, while the number of dangerous exploits for Windows numbers in the tens, or even hundreds, of thousands.

Re:# of Vulnerabilities!=Acknowledged Vulnerabilit (1)

Foofoobar (318279) | more than 6 years ago | (#21780616)

Show me the TOTAL number of vulnerabilities reported (not just the ones acknowledged) vs exploits reported and unreported. That's the problem. They do not like to report their vulnerabilities and large companies using their product do not like to report the vulnerabilities (bad for business you know). So these botnets just keep growing mysteriously for unknown reasons off the Microsoft backbone (Yes, 99% of Microsoft machines are being used for the botnets with Linux machines being used as the master nodes).

Reporting of exploits and reporting of security vulnerabilities requires full disclosure and some people who still believe in 'security through obscurity' as a viable model will never disclose these things.

New Math (1)

huckamania (533052) | more than 6 years ago | (#21782464)

So 1% of Microsoft machines are not being used for botnets?

I must be exceedingly lucky cause I have a few Windows boxes and they aren't part of any botnet. I did have one that got owned pretty bad this year, but it's now running Suse while I figure out if I want to fix the Windows partition (yeah, it was that bad).

Re:New Math (1)

Foofoobar (318279) | more than 6 years ago | (#21782762)

Yeah apparently. It's a pretty enormous figure. There is more than one botnet and Microsoft machines being ubiquitous on desktops around the world, you gotta figure that there is probably more than 1% that researchers don't see behind firewalls and that the number is OBVIOUSLY an exaggeration but even with that it would mean that millions are still safe machines.

Still how many home users do you know that run as root? That run without updated antivirus? Without ANY antivirus? That open attachments? Etc? Remember that Joe Average is NOT a computer professional and this thing in front of them is STILL a magic box as far as they are concerned; even the next generation of kids who have actually grown up with computers still only know how to use the GUI but don't understand the basics of what the underlying mechanics are and only know basic issues of computer security which will not secure against exploits that allow access to your system to install a rootkit.

And I'll bet only 1% of users do active searches for rootkits.

Re:New Math (1)

huckamania (533052) | more than 6 years ago | (#21785454)

If you are part of a botnet, they will notice something. 99% of botnet controlled computers may be Microsoft machines, but there is no way on this green earth that 99% of Microsoft machines are part of a botnet.

Corporations don't let botnets exist on their infrastructure for long, neither does the government and military. Even my ISP will deny you access if you have an infected machine.

Sorry, just don't buy the math.

Re:New Math (1)

Foofoobar (318279) | more than 6 years ago | (#21786768)

If you are part of a botnet, they will notice something
Yep... every single owner of a computer that is owned and part of a botnet knows that they are part of a botnet. They are 100% aware that they are part of a botnet. Now who is being naive?

Re:New Math (1)

huckamania (533052) | more than 6 years ago | (#21794284)

They might not all get a light bulb over their head and think 'O Noes, Ib Pwnd', but most of them will notice that their computer and their internet suck.

If they seriously game, they're going to notice. If they're corporate, they're going to notice. My ISP noticed, it took them about 4 days and I had already quarantined the infected box, but eventually they blocked my router from getting an IP.

My solution was to install Suse. The teenager in my house was up and running in about an hour. He's still a little befuddled by the file system, but for what he likes to do, chat and listen to music, it's a good system. If we ever miss playing Battlefield, I'll just scrub the windows partition and make sure it is used only for gaming.

Lesson: P2P + Windows = a really bad idea... Which I did tell them repeatedly.

Re:New Math (1)

daviddennis (10926) | more than 6 years ago | (#21787750)

Of all the Windows computers I have seen in the wild, the only ones that are not full of spyware and virii are those managed by professional computer people.

The problem is that most people think of their computer as an appliance and have no real understanding of how to use anti-virus/spyware software, even if they have it. The software itself seems to be better at trying to bludgeon people into buying upgrades than it is at actually doing anything to protect systems.

I do not think computer and operating system developers should expect people to understand the care and feeding of anti-virus software, so I just tell people to buy Macs. It's a bit more expensive but a lot less misery and pain. Eventually the Mac may be cracked, but with its 5% market share I think it will be a long time before it will be even 1% as dangerous as running a Windows computer.

D

Fishing for vulnerabilities (5, Informative)

pongo000 (97357) | more than 6 years ago | (#21780042)

Is Secunia presenting slanted information with the expectation it will be misused?

Here's one even better: We use GeSHi [qbnz.com] (Generic Syntax Highlighter) in WikkaWiki [wikkawiki.org] . We often scour the so-called "security vulnerability" databases because we've found many inaccuracies. In this specific case, Secunia issued this statement:

> we noticed the following entry in the changelog for GeSHi 1.0.7.18 and
> are about to issue an advisory based on this information.
>
> "Committed security fix for htmlspecialchars vulnerability. Also makes
> supporting multiple languages a lot easier"
> http://sourceforge.net/project/shownotes.php?release_id=489035 [sourceforge.net]
>
> To serve our mutual customers best we would appreciate to receive your
> comments on this issue before we publish our advisory.


WTF? This was a vulnerability in PHP's htmlspecialchars() function, NOT GeSHi. Yet, Secunia was planning on milking this vulnerability in order to boost its "vulnerability count" at the expense of a project that had absolutely NOTHING to do with the vulnerability.

You see, these so-called "vulnerability experts" try to wring out as many vulnerabilities as possible, because we all know that the most effective "vulnerability expert" will be the one with the most posted vulnerabilities. So they go on fishing expeditions to uncover vulnerabilities that really don't exist.

Or an even worse practice: "bottom-fishing" changelogs and bug trackers in order to discover vulnerabilities that have already been addressed. Here's another instance where Secunia was caught trying to boost its street cred through disingenuous reporting: They apparently scoured our bug tracking database and discovered an issue (already fixed!) and falsely implied in their report that the content of wiki pages marked private might be accessible via RSS. This was clearly false, as the original bug report indicated that the page name (not content) could be accessed. Secunia later corrected [secunia.com] the false report.

We've caught Secunia doing this on several occasions. My advice to anyone who is involved in an OSS project is to regularly scour the vulnerability databases and challenge each and every advisory that you believe is not accurate. You might be surprised at the amount of so-called "vulnerability intelligence" out there that is blatantly false, outdated, or inaccurate.

Re:Fishing for vulnerabilities (2, Insightful)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#21780262)

Yeah, but if the htmlspecialchars was exploitable in geshi, then it was a vulnerability in geshi. You can't ignore vulnerabilities inherent in the language you use. If it was exploitable in geshi, then you in turn exposed the users of geshi to the vulnerability by incorporating the function into your implementation. I mean imagine Microsoft claiming that buffer overflows were not its fault, as they were really vulnerabilities in C, not windows/explorer/office etc.

Re:Fishing for vulnerabilities (2, Insightful)

pongo000 (97357) | more than 6 years ago | (#21780560)

Then using this logic, it would be appropriate and fair for Secunia to list every project that is using PHP with the tainted function. Hundreds? Thousands? Tens of thousands? Where are those vulnerability reports?

Again, this goes back to my argument that Secunia simply cherry-picks its reports, penalizing those projects that are most open with their changelogs and issue tracking, often listing so-called "vulnerabilities" after said vulnerabilities have already been addressed (as in this case).

Re:Fishing for vulnerabilities (1)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#21780978)

Yes, I agree. Although, they should give more attention to more widely used products, than obscure ones. Ironically, that may lead to a cycle of people abandoning well known products and adopting the other lesser used one, if the only metric is listed vulnerabilities.

And warning of vulnerabilities that have already been patched is legitimate, IMHO, as many people will not always use the latest version and they would still be at risk.

Re:Fishing for vulnerabilities (1)

kula.shinoda (841770) | more than 6 years ago | (#21784360)

As author of GeSHi I can confirm this is basically how things played out. I sent Secunia a very irate e-mail asking them basically WTF they were smoking, and as far as I can tell they didn't publish a vulnerability for it.

They've tried on other projects I've been on, such as Mahara [mahara.org] . They went trolling through the changelogs of old releases for the word 'security', and hit a git commit that fixed security being too tight on something - and sent an automated email saying they wanted more information about the vulnerability so they could put it in their database! They got another irate e-mail about that one.

Secunia, in my experience, are scum looking to justify their existence rather than actually help.

Re:Fishing for vulnerabilities (1)

Martin Blank (154261) | more than 6 years ago | (#21786950)

Or an even worse practice: "bottom-fishing" changelogs and bug trackers in order to discover vulnerabilities that have already been addressed.

I'm not sure that this is necessarily a bad thing, as people with far more time than I to look for how to make trouble for others are doing exactly the same thing.

If I'm running foo 1.3.2, I may miss that 1.3.3 came out, or may disregard it if I don't think it's imperative that I update, watching for 1.4 to come out. There are a lot of disparate systems that I have to watch out for, and it's not uncommon that a minor upgrade is skipped because it does not clearly offer something that I require or fix some problem that I may be experiencing. However, if I see on a mailing list (BugTraq, Secunia, whatever) that it turns out that foo 1.3.2 has a vulnerability that was fixed in 1.3.3, I'm more likely to look into updating.

Offtopic: (-1, Offtopic)

geminidomino (614729) | more than 6 years ago | (#21780142)

Any other subscribers see the story about the FBI bullet analysis getting shot down? [washingtonpost.com] It was up in "the mysterious future" and has equally mysteriously disappeared...

Re:Offtopic: (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21780316)

Probably because it was a dupe of http://yro.slashdot.org/article.pl?sid=07/11/19/1859230 [slashdot.org]

Re:Offtopic: (0, Offtopic)

geminidomino (614729) | more than 6 years ago | (#21780374)

You must be joking! Slashdot removing dupes is like Microsoft removing backdoors, Apple removing trendiness, and FOSSies removing oppression complexes!

Said it a thousand times. (2, Interesting)

catwh0re (540371) | more than 6 years ago | (#21780166)

..well maybe not a thousand times, but maybe I should. Security of software isn't just a product of how many flaws are found. Rather it's an equation of how many people are looking for flaws, the nature of the flaw and the reluctance of the company to report it (rather than just silently patching it, or worse just removing the evident symptoms but not the flaw at all.) We all know who I'm talking about with each argument.. Open source, where all changes are viewable, listed (and so on) is much more trustworthy than completely private software where the public discretion comes about from a marketing department. Additionally where the seriousness of a flaw can be completely downgraded by sole discretion.

Again and again and again (4, Insightful)

RAMMS+EIN (578166) | more than 6 years ago | (#21780202)

We keep hearing this again and again and again.

It's very simple, really.

You can _never_ know the relative security of two systems. There simply isn't any way to measure it fairly.

Count disclosed vulnerabilities? What about the vulnerabilities that weren't disclosed?

Have teams search for vulnerabilities and compare the results? What does that tell you? Was one team equally good at finding vulnerabilities in one system as the other was at finding them in the other system? What if one system had many easy to find vulnerabilities, and the other had a couple of severe but harder to find vulnerabilities?

Count actual break-ins? Well, was that due to the system being vulnerable the way the vendor left it, or because of the administrator? What about break-ins you don't know about?

It's always a matter of what you don't know about. You don't know the vulnerabilities that weren't reported. You don't know the vulnerabilities that weren't found. You don't know the relative skills of the teams you used. You don't know if you tested for all possible classes of vulnerability.

And I haven't even mentioned the severity of vulnerabilities, the availability of exploit code, the way vulnerabilities are dealt with by the vendor, and a host of other issues.

The take home message is that you just _can't_ know. It's a hard pill to swallow, but you will just never know which system is more secure. All you have is flawed metrics and your gut feeling.

Re:Again and again and again (1)

RobBebop (947356) | more than 6 years ago | (#21782388)

You can't know for sure, but you can get a pretty good idea fairly quickly using software testing before any release of the product. Your mileage will vary from application to application, but any self-respecting release team will have a set of regression tests to run through to at least give them confidence that they aren't releasing software that has previously discovered bugs in it.

And using a path-analysis software like GCov you can get a feeling that a large body of your code is actually being exercised and returns appropriate results.

And using static analysis tools [wikipedia.org] you can get a feeling that you have crossed your T's and dotted your I's.

So, while analysis of bugs reported in fielded software is a completely flawed metric... there are certainly methods to use before making a release that will give you more than just a "gut feeling" that you software is secure.

Where is the MacOS X malware? (2, Interesting)

Zott and Brock (1204632) | more than 6 years ago | (#21780418)

Windows has hundreds of thousands of known viruses and trojans, but the malware for MacOS X can be counted on your fingers. Just because Apple periodically publishes security updates doesn't mean that these vulnerabilities have ever been found outside of security labs and been exploited in the wild.

Re:Where is the MacOS X malware? (1)

eli pabst (948845) | more than 6 years ago | (#21782042)

That's not really any better metric for comparing security either. OS X has had plenty of security vulnerabilities which have had the potential to be exploited by malware or worms. All that's really required is a remote vulnerability that allows an attacker to upload and execute code. Viruses and trojans are even worse of a means of comparison because most simply rely on tricking a user and don't need any kind of software vulnerability.

Nothing to see there, move along (4, Insightful)

Aaron Isotton (958761) | more than 6 years ago | (#21780430)

When I read the summary, I thought TFA could actually be interesting. But it's not any better than what it is criticizing.

Long story short:

ZDnet published an article comparing Secunia vulnerability counts in Mac OS X and Windows Vista/XP. They spun it the Microsoft way, so Mac OS X loses big time. A mac fanboy wrote a reply spinning it the Apple way.

TFA starts with a long-winded attack against the author of the ZDnet article without ever getting to the point. Let's just say that it talks about Zunes, XBoxes, train wrecks, ballet dancing and many more things.

Then it explains what Secunia does (in about two pages): they track software vulnerabilities which are - among others - reported by the vendors. So "honest" vendors get higher vulnerability counts. Who would have thought.

On it goes by saying that the "border" of an operating system is nowadays blurry; should the vulnerabilities in bundled applications be counted? Even if they are by another vendor?

Then he babbles about how most of the cited vulnerabilities in Mac OS X are related to what he calls "external software" - things such as python, java, perl, samba, tcpdump etc and that those same programs have the same (or a similar) amount of vulnerabilities on other platforms. What he fails to point out is that Mac OS X *consists* of such "external software" for a big part, and that they are *part* of Mac OS X and cannot be removed easily.

Conclusion: a pointless (and extremely long-winded) article full of Microsoft bashing, as reply to an equally pointless article full of Apple bashing.

the only way to legitimately test this... (1)

buddyglass (925859) | more than 6 years ago | (#21780618)

...is to construct a real-world test and repeat it fairly often, then tally up how each OS performs. Create a monthly or bimonthly hacking "tourney" with a money purse to properly motivate the contestants. Get "normal" IT staff (i.e. not experts hand-picked by MS or the OSS community) to "secure" the competing operating systems, then let the hackers loose.

Unfortunately this only gauges vulnerability to remote exploits, which probably aren't the most common means of penetration and which both systems probably do pretty well at preventing.

Re:the only way to legitimately test this... (1)

gr8scot (1172435) | more than 6 years ago | (#21797200)

You buying?

the only way to legitimately test this is to construct a real-world test and repeat it fairly often, then tally up how each OS performs. Create a monthly or bimonthly hacking "tourney" with a money purse to properly motivate the contestants. Get "normal" IT staff (i.e. not experts hand-picked by MS or the OSS community) to "secure" the competing operating systems, then let the hackers loose.

Vulnerability Counts: Humorous, Not Useful (2, Interesting)

MattW (97290) | more than 6 years ago | (#21781230)

Even if the information about vulnerability counts were pristine, it still wouldn't be useful, and anyone who has been involved in security knows it.

Over the years, there's nearly one flaw in the methodology for every one of these surveys ever released:

* Counting vulnerabilities in services installed by default the same as a service that is optional and not frequently enabled
* Subjective rating of impact (mild/severe)
* Treating remote code execution the same when on one system it is as uid nobody, and on the other, it is as administrator
* Ignoring the ease of use of tools that can actually verify a system's integrity (e.g., tripwire with signatures on RO media and booted off CD)
* Ignoring what a user may have to do to trigger a vulnerability (ie, visit a web page with a malicious image, vs downloading a dmg file, running an install, and giving your password to elevate to root)
* Ignoring how an operating system enables or discourages user stupidity (ie, hordes of useless, "This program wants to do something, yes/no?" vs rare requests for a password)

And on and on and on. The average PC has over 25 different pieces of Malware installed. I know dozens of people with macs, and I don't know anyone who has had a single piece of malware, ever. I've been running linux for 12 years, desktop and server, and I've had two compromises ever, and both were via wu-ftpd.
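The list above argues that a raw count treats every advisory alike. The following is an added example, not code from the thread or from Secunia, that scores constructed advisories for two hypothetical products by the factors named in the list (service on by default, privilege gained, user interaction required) and shows the raw count and the weighted score ranking the products in opposite orders. All weights, product names and advisory identifiers are assumptions made up for the illustration.

```python
"""Weighted vulnerability comparison (added example; all data is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weights: privilege that remote code execution lands at, 0..1.
PRIVILEGE_WEIGHT = {"nobody": 0.2, "user": 0.5, "admin": 1.0}
# Assumed weights: steps the victim must take to trigger the flaw.
# 0 = none (e.g. viewing a web page), 3 = download, install and type a password.
INTERACTION_WEIGHT = {0: 1.0, 1: 0.6, 2: 0.3, 3: 0.1}


@dataclass(frozen=True)
class Advisory:
    ident: str               # constructed identifier, not a real advisory
    remote_code_exec: bool   # remote code execution vs. something milder
    default_enabled: bool    # is the affected service on in a stock install?
    privilege: str           # key of PRIVILEGE_WEIGHT
    interaction_steps: int   # key of INTERACTION_WEIGHT (clamped to 3)


def risk_weight(adv: Advisory) -> float:
    """Score one advisory on a 0..1 scale from its exploitation context."""
    base = 1.0 if adv.remote_code_exec else 0.3
    if not adv.default_enabled:
        base *= 0.25  # optional service that few users ever turn on
    base *= PRIVILEGE_WEIGHT[adv.privilege]
    base *= INTERACTION_WEIGHT[min(adv.interaction_steps, 3)]
    return round(base, 4)


def raw_count(advisories: List[Advisory]) -> int:
    """The metric the surveys use: one advisory, one point."""
    return len(advisories)


def weighted_risk(advisories: List[Advisory]) -> float:
    """Sum of context-weighted scores for a product's advisories."""
    return round(sum(risk_weight(a) for a in advisories), 4)


# Constructed product A: four advisories, mostly in optional services,
# landing as an unprivileged user and needing several victim actions.
PRODUCT_A = [
    Advisory("A-1", True, False, "nobody", 3),
    Advisory("A-2", True, False, "user", 2),
    Advisory("A-3", False, True, "user", 1),
    Advisory("A-4", True, True, "nobody", 2),
]
# Constructed product B: two advisories, both in default-on services,
# both landing as administrator with little or no user interaction.
PRODUCT_B = [
    Advisory("B-1", True, True, "admin", 0),
    Advisory("B-2", True, True, "admin", 1),
]


def compare(a: List[Advisory], b: List[Advisory]) -> Dict[str, Tuple[str, str]]:
    """Name the 'worse' product under each metric; 'A'/'B' label the arguments."""
    raw_worse = "A" if raw_count(a) > raw_count(b) else "B"
    weighted_worse = "A" if weighted_risk(a) > weighted_risk(b) else "B"
    return {"raw": ("worse", raw_worse), "weighted": ("worse", weighted_worse)}


if __name__ == "__main__":
    print("raw counts:    A=%d  B=%d" % (raw_count(PRODUCT_A), raw_count(PRODUCT_B)))
    print("weighted risk: A=%.4f  B=%.4f" % (weighted_risk(PRODUCT_A), weighted_risk(PRODUCT_B)))
    print(compare(PRODUCT_A, PRODUCT_B))
```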

Local security is good, but... (1)

argent (18001) | more than 6 years ago | (#21782546)

Largely agree with you, but...

Treating remote code execution the same when on one system it is as uid nobody, and on the other, it is as administrator

Local security does need to be considered, but it shouldn't be depended on. A remote code execution vulnerability is still critical, whether it happens as LOCALSYSTEM, root, Administrator, local user, nobody, or in a partial sandbox like a chrooted environment or Microsoft's new sandbox in Vista. Local privilege elevation attacks do exist, and even without privileged access a remote code exploit can launch secondary attacks, log user actions in the compromised application (eg passwords), or run a payload that doesn't require privileged access (eg, a botnet node).

Re:Vulnerability Counts: Humorous, Not Useful (1)

BasharTeg (71923) | more than 6 years ago | (#21783064)

What's funny to me is, Linux kiddies* and Mac fanboys have used # of vulnerabilities to claim how much more secure Linux and Macs are compared to Windows for years. Then when the empirical count of vulnerabilities no longer favors the point they're trying to prove, we get a thousand angry fanboys posting about how stupid the method is. It's blatant hypocrisy.

Linux fanboys* used to do the same thing with narrow performance benchmarks, showing how much faster Linux was than Windows. Once the benchmarks started favoring Windows, it became a "stupid and unrealistic way to compare performance that has no relation to real world performance." Again, the hypocrisy.

What's sad is how frantic and how rabidly they rush to take apart anything that might show Microsoft having a lead in any area. But the same outdated arguments and complaints about vulnerabilities in outdated products are getting tired. The fact is, Microsoft's security is getting better, and their products are improving, due in large part to the challenge presented by open source software. They're still far from perfect, but you're going to find that they will get better and better, and they might take the lead in certain areas while still being far behind in other areas.

What's the big deal? It doesn't take away anything from how great Linux and Mac OS X are at what they do.

*The phrase "Linux kiddies" does not include professionals who deploy Linux for systems where Linux makes sense. I'm talking about rabid fanboys who can't accept that every OS has benefits, and you need to find the one that suits for the problem you're trying to solve.

Re:Vulnerability Counts: Humorous, Not Useful (1)

DECS (891519) | more than 6 years ago | (#21784364)

You seem to be confusing actual live exploits that cause Windows to fall apart, hand control over to botnets, plague the world with spam, install spyware, etc, with vulnerability reports.

Windows does own the market for actual viruses, adware, botnet membership, spyware and other problems.

Secunia and George Ou are publishing numbers of vulnerabilities that suggest the opposite is true. But it's obviously not.

You can try to muddle those two ideas together, and you reveal your bias by describing my outlining of the truth as "a rabid rush to take apart" something that isn't true, but that only makes you the jackass.

You sound like a bind-torture-kill neocon complaining that the "liberals" are all upset about a few "high crimes" when the last democrat president was accused of fooling around with a girl, so everything should be equal. That's also why I'm so happy to watch your ship go down.

Vista, Zune, Windows Media, Windows Mobile: good riddance, losers!

Why Microsoft's Copy-Killing Has Reached a Dead End [roughlydrafted.com]
Microsoft's rapid rise to power and its ability to hold onto control over the PC desktop throughout the 90s has long been revered by pundits as a classic example of copying an existing business model and then defeating all competition through price efficiencies, despite the fact that Microsoft's Windows software has only ever gotten progressively more expensive with the passing of time. This copy-killing strategy, also described as "embrace, extend, and extinguish," is now reaching a dead end. Here's why.

Re:Vulnerability Counts: Humorous, Not Useful (0)

Anonymous Coward | more than 6 years ago | (#21787568)

daniel eran can't get an erection without fantasizing about a bound woman being tortured to death. what a sick fuck.

Re:Vulnerability Counts: Humorous, Not Useful (2, Insightful)

51mon (566265) | more than 6 years ago | (#21786230)

It is a common trait to want to reduce everything down to a single number, or something easily compared, especially when most folks have only a very vague definition of the area being compared.

Everyone wants to validate their own prejudices (and some are paid to support other folks interests).

Security is a process, the goal of which is to protect something (usually your data - maybe your hardware - maybe availability or even user sanity!) and (usually at least) to minimize the resources it takes to do it. You can only meaningfully produce numbers when you are more specific than "security" or even "vulnerability".

So it might be possible to, say, discover the number of bugs that allow arbitrary remote code execution through web surfing (although in some cases the answer might be "maybe" for some bugs), using the bog standard install of the OS, installing all the latest patches as soon as they are available, using the vendor preferred web browser. But even then this is only listing discovered vulnerability, so all you have is a number that is almost meaningless to real security, although it is comparable, in that you can use it to compare how safe browsing was. The IE/Firefox days vulnerable is a good example of such a metric, but again it depends on known vulnerabilities.

If someone produced a range of such tests, not just covering vulnerability counts, but covering other things (for example - someone mentioned that users don't always patch - thus the proportion of users who are patched up to date could make a useful metric about how usable the software's update mechanism is, which I'd suggest is a key security metric).

One might be able to make a case for a rigorous methodology for using a selection of such tests, but that requires serious research and effort, and we already know the result will be; -- most Desktop OSes are less secure than most end users would like if they only understood what all the techie blurb meant --
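The two metrics this post singles out, "days vulnerable" per advisory and the proportion of installs that are patched, are straightforward to compute once the inputs are pinned down. The following is an added example, not code from the thread or from any vendor, that does both over constructed advisory dates and a constructed sample of installed versions for two hypothetical products; the product names, dates, version strings and the reference date are all assumptions made up for the illustration.

```python
"""Days-of-exposure and patch-uptake metrics (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    ident: str              # constructed identifier, not a real advisory
    disclosed: date         # date the flaw became public
    fixed: Optional[date]   # date a fix shipped; None means still unpatched


def days_exposed(adv: Advisory, as_of: date) -> int:
    """Days between public disclosure and the fix (or 'as_of' if no fix yet)."""
    end = adv.fixed if adv.fixed is not None else as_of
    return max(0, (end - adv.disclosed).days)


def total_days_exposed(advisories: List[Advisory], as_of: date) -> int:
    """The 'days vulnerable' metric: exposure summed over all advisories."""
    return sum(days_exposed(a, as_of) for a in advisories)


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.3.3' -> (1, 3, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def patched_fraction(installed: List[str], fixed_version: str) -> float:
    """Share of surveyed installs running the fixed version or newer."""
    fixed = parse_version(fixed_version)
    patched = sum(1 for v in installed if parse_version(v) >= fixed)
    return round(patched / len(installed), 4) if installed else 0.0


# Constructed reference date for the unpatched case.
AS_OF = date(2007, 12, 20)

# Constructed product A: quick fixes, but one advisory is still open.
PRODUCT_A = [
    Advisory("A-1", date(2007, 10, 1), date(2007, 10, 3)),
    Advisory("A-2", date(2007, 11, 10), date(2007, 11, 10)),
    Advisory("A-3", date(2007, 12, 1), None),
]
# Constructed product B: one advisory, fixed two months after disclosure.
PRODUCT_B = [
    Advisory("B-1", date(2007, 9, 1), date(2007, 11, 1)),
]

# Constructed survey of installed versions of product A; fix shipped in 1.3.3.
INSTALLED_A = ["1.3.1", "1.3.3", "1.3.3", "1.4.0", "1.3.2"]
FIXED_A = "1.3.3"


if __name__ == "__main__":
    print("days vulnerable: A=%d  B=%d" % (
        total_days_exposed(PRODUCT_A, AS_OF), total_days_exposed(PRODUCT_B, AS_OF)))
    print("patched fraction of A installs: %.2f" % patched_fraction(INSTALLED_A, FIXED_A))
```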

How about George Ou sucks? (2, Interesting)

GarfBond (565331) | more than 6 years ago | (#21781296)

This is the same guy who (figuratively) fell in love with David Maynor and their associated AirPort exploit back when everyone else was telling them to show the goods. The guy isn't much more than an Apple troll - go through his archives (but don't actually - that gives him advertising hits) and it basically reads as "Apple sucks at this, Apple sucks at that, wah wah wah."

See here [cnet.com] for a brief recap of Ou's idiocy (not a word but still).

Re:How about George Ou sucks? (1)

RandomNick7 (1169243) | more than 6 years ago | (#21795968)

In response to the CNet comment Gutmann has actually responded to Ou (unfortunately it's undated but it seems to be from about September). Based on the behaviour that's documented there Ou comes across as a complete nutcase [cypherpunks.to] . How can anyone take someone like that seriously?

Slashdot's obligatory Apple\Linux defense (1)

n1_111 (597775) | more than 6 years ago | (#21781412)

Face the numbers and don't call it numerology!! Apple OSX is a broken POS, all the lists that are disclosing vulns, support this notion.

The whiniest flame site on earth... (1)

malevolentjelly (1057140) | more than 6 years ago | (#21781890)

Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design! Defective by design!

STOP IT STOP IT It's not that clever! It's a play off of the old saying "Deficient by Design" -- and that referred to UNIX!

Roughly Drafted != News Source

It's the most whiny flame blog on earth- stop punishing slashdot readers with it.

My experience with Secunia (4, Informative)

Aram Fingal (576822) | more than 6 years ago | (#21782738)

At one point, I looked over all the Secunia advisories about OS X and came across one which said that OS X would send passwords in clear text without warning when logging into Appleshare volumes and that this vulnerability was "unpatched". I thought this was strange since I had, in fact, seen such warning dialog boxes in OS X. It was in an unusual case where I was connecting from OS X 10.2 to an old 68k Mac running MacOS 8.1. I also remembered seeing that there is an options button when you make an Appleshare connection. If you hit that options button, you get a screen with check boxes for allowing clear text passwords and warning when a clear text password is needed. The default is to allow with a warning. I sent email to Secunia asking for clarification about what circumstances would lead to sending a clear text password without notice. Do those check boxes not actually work? Are the defaults less secure in some cases? I never got a reply but the issue disappeared from the Secunia site. No explanation. Just gone. I wonder if enough other issues have just disappeared to affect the numerology.

never attribute to malice... (1)

v1 (525388) | more than 6 years ago | (#21782954)

It'd be nice if some international body examined the issue of software security risks and established a guideline so we didn't have this ongoing problem of what to call a bug and what not to, and to finally put to bed the notion that notifying users of newly discovered vulnerabilities is bad for security.

I for one would like to see a rating scale that factors in not just the problem, the severity, and the scope, but also the availability of information on the problem. For example, you couldn't score anywhere near a perfect 10 even if the problem was minor and affected very few people, if you failed to tell anyone about it until you had it patched. Failing to disclose a known problem until someone else blew the whistle on you (or released an exploit into the wild) should earn you an automatic zero on the attempt.

Like most other mistakes, in the end security flaws almost always become magnified if you try to hide them.

Either somewhere in their statistical models they have determined that snow white publicity combined with a large number of your customers getting zinged costs them less in the end than fessing up and protecting their customers better. Or they're just being stupid about it.

But I think they're just being stupid about it. Wasn't there a quote something along the lines of "never attribute to malice that which can be adequately explained by stupidity"?

Re:never attribute to malice... (1)

gr8scot (1172435) | more than 6 years ago | (#21797098)

My body has flown to 4 continents so far, so it is "international," and it says that instead of a rating scale, what you should want is publication of the source code so you can correct it yourself or hire the most affordable geek in your neighborhood to do so.

Patent prohibitions of viewing proprietary source code may be acceptable, under standard as-advertised operating conditions, but when source code exposes users to having their computers taken over by computer criminals, I submit that protections of the specific faulty code responsible for identified vulnerabilities be invalidated immediately upon discoveries of such vulnerabilities.